Last modified: 2011-04-14 15:14:27 UTC
Seems that the method detectScript() returns false positives: valid JPG files are rejected. Here is an example: http://upload.wikimedia.org/wikipedia/commons/3/3e/Mozart_magic_flute.jpg I'm not able to upload this image (url) on my own MediaWiki instance (trunk). I always get the 'uploadscripted' error. I think the comment in the JPG file deceives the PHP code.
Yes, Internet Explorer interprets valid JPG files as scripts. That's the problem. We must mimic IE's behaviour in order to protect against Cross-Site Scripting attacks.
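An added example (not part of the original report, and not MediaWiki's code): a diagnostic that walks a JPEG's header segments and reports which one carries HTML-like text inside the prefix a content-sniffing check would inspect. The token list, the 1024-byte window and the sample files built by `make_jpeg` are assumptions constructed for illustration.

```python
import struct

# Assumed list of HTML-like tokens and sniffed-prefix size; illustrative only,
# not copied from MediaWiki or from any browser.
SNIFF_TOKENS = (b"<a href", b"<body", b"<head", b"<html", b"<img",
                b"<script", b"<table", b"<title")
SNIFF_WINDOW = 1024

def jpeg_segments(data):
    """Yield (marker, offset, payload) for each header segment before start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, stop here
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def marker_name(marker):
    if marker == 0xFE:
        return "COM"  # free-text comment segment
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"  # JFIF, EXIF, XMP and similar metadata
    return f"0x{marker:02X}"

def explain_rejection(data):
    """Return [(segment, token)] for HTML-like tokens that fall in the sniffed prefix."""
    hits = []
    for marker, offset, payload in jpeg_segments(data):
        if offset >= SNIFF_WINDOW:
            break
        # Only the part of the payload inside the sniffed prefix can trigger the check.
        visible = payload[:max(0, SNIFF_WINDOW - (offset + 4))].lower()
        hits += [(marker_name(marker), t.decode()) for t in SNIFF_TOKENS if t in visible]
    return hits

def make_jpeg(comment):
    """Build a constructed, minimal JPEG header (APP0 + COM + SOS stub) for testing."""
    seg = lambda m, p: b"\xff" + bytes([m]) + struct.pack(">H", len(p) + 2) + p
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + seg(0xE0, app0) + seg(0xFE, comment)
            + b"\xff\xda" + b"\x00" * 8 + b"\xff\xd9")
```

Running `explain_rejection` on the bytes of a rejected upload shows whether the match comes from a comment or metadata segment, which can then be stripped or rewritten before re-uploading.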
I work with a picture source which I trust and currently have to hack the code to avoid this check. Is it an option to add a config parameter to allow deactivating this whole security check on image upload?